CN109766688A - Merkle tree-based Linux program runtime verification and management and control method and system - Google Patents


Publication number
CN109766688A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811488026.XA
Other languages
Chinese (zh)
Other versions
CN109766688B (en)
Inventor
秦宇
初晓博
赵世军
冯伟
匡晓云
习伟
姚浩
于杨
吕志宁
宁柏锋
罗伟峰
刘威
邓巍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Software of CAS
CSG Electric Power Research Institute
Shenzhen Power Supply Bureau Co Ltd
Research Institute of Southern Power Grid Co Ltd
Original Assignee
Institute of Software of CAS
Shenzhen Power Supply Bureau Co Ltd
Research Institute of Southern Power Grid Co Ltd
Application filed by Institute of Software of CAS, Shenzhen Power Supply Bureau Co Ltd, Research Institute of Southern Power Grid Co Ltd
Priority to CN201811488026.XA
Publication of CN109766688A
Application granted
Publication of CN109766688B


Abstract

The invention belongs to the technical field of computer operating system security enhancement, and specifically relates to a Merkle tree-based Linux program runtime verification and management and control method and system. Drawing on the IMA architecture and the Merkle hash tree method, the invention changes the program measurement time from program start to the time the program is actually loaded into memory and run, and changes the program measurement object from the program code segment to the fragments of the program code segment. A Linux application is generally cut by the operating system into multiple fragments, and each fragment is loaded from disk into memory only when it is actually accessed. The invention therefore no longer verifies the entire executable program file at program start, as IMA does, but verifies the integrity of each program fragment when that fragment is actually loaded, and applies control handling. The invention provides a safe and reliable program runtime measurement and control mechanism for computer devices that use the Linux operating system.

Description

Merkle tree-based Linux program runtime verification and management and control method and system
Technical field
The invention belongs to the technical field of computer operating system security enhancement, and specifically relates to a Merkle tree-based Linux program runtime verification and management and control method and system.
Background art
With the continuous development of all kinds of computer systems, computer systems in various forms have reached every field and every aspect of society and play an increasingly important role. In recent years, mobile smart terminals and tablet computers in particular have, through application scenarios such as mobile payment and mobile office, been widely used to carry and process all kinds of private and confidential information. As the value of the information involved grows, computer systems have become a target for attackers seeking to damage systems and steal information.
Trusted computing is a new security technology based on a hardware root of trust, with measurement and the chain of trust as its main technical means. Starting from trust in the hardware, trusted computing builds a chain of trust inside a device, or between devices, by having each stage measure the next stage before loading it, so that unauthorized programs (potentially malicious programs) running in the system are discovered promptly and reliably and handled accordingly (audit, control and remote attestation). Trusted computing is especially suitable for protecting computing devices with high security requirements.
As an important link in the chain of trust built by trusted computing, the operating system kernel needs to measure each application it starts. At present, the most representative kernel measurement technology is the IMA (Integrity Measurement Architecture) measurement architecture proposed in 2004 by the IBM T.J. Watson Research Center in the United States; since version 2.6.30 this architecture has been accepted by the Linux Foundation as kernel mainline code and is continuously updated.
The IMA architecture uses a measure-at-start technique: it chooses program start as the time at which an application is measured. This technique largely ensures the integrity of the executed program without affecting the program's operation after it has started, achieves a good trade-off between system security and performance, and has therefore been widely recognized and accepted. After years of research and development, however, some shortcomings of IMA have been exposed. First, the IMA architecture requires the entire program (its code segment) to be read when the program starts. This introduces a large amount of disk I/O beyond the native Linux program start logic (when native Linux starts a program and creates the process, it reads only part of the executable program), and noticeably reduces program load and start performance. Second, in the IMA architecture there may be a long interval between the time a program fragment is measured and the time it actually runs, which gives an adversary a considerable window of opportunity.
Summary of the invention
The object of the invention is to draw on measure-at-start technology for Linux programs (such as the Linux Integrity Measurement Architecture, i.e. the IMA architecture) and the Merkle hash tree method, to change the program measurement time from program start to the time the program is actually loaded into memory and run, and to change the program measurement object from the program code segment to the fragments of the program code segment. This provides computer devices that use the Linux operating system with a safe and reliable program runtime measurement and control mechanism, which guarantees that specified executable files are verified at run time, so that they are not tampered with when running or, if they are tampered with, evidence is retained in time.
The invention is a Merkle tree-based Linux program runtime verification and management and control method, whose construction principle and steps are as follows:
1) Divide the Linux application into segments of the same size as a memory page and, taking each segment as a leaf node, generate all non-leaf nodes of the Merkle hash tree for the code segment of the application;
2) Based on the Merkle hash tree, postpone the program measurement time from when the executable program file starts to when the executable program file is actually loaded into memory;
3) Based on the Merkle hash tree, change the program measurement object from the executable program file as a whole to the program fragments that actually need to be loaded into memory.
Further, the method of the invention comprises a preparation stage, a system boot stage and a system run stage, described as follows:
1. Preparation stage:
a) Computer device manufacturer, Linux operating system vendor and application vendor: jointly define a set of programs to be protected, denoted TA = {ta_1, ta_2, ..., ta_N}, where ta_i (i = 1, 2, ..., N) denotes one program; in addition, agree on a set of public cryptographic parameters;
b) Computer device manufacturer: according to the public cryptographic parameters of step 1.a), generate an asymmetric key pair <PK_C, SK_C>; use firmware that supports the UEFI interface as the first boot device of the machine, and embed in it the public key part PK_C of <PK_C, SK_C>;
c) Application vendor: when producing an application, add an extended attribute section to the program, and add a flag in that section marking whether the program belongs to TA; for each program in TA, divide it into segments of the same size as a system memory page (usually 4KB), then, taking each segment as a leaf node, generate all non-leaf nodes of the Merkle hash tree for the program's code segment;
d) Linux operating system vendor: according to the public cryptographic parameters of step 1.a), generate an asymmetric key pair <PK_L, SK_L>;
e) Linux operating system vendor: use SK_L to generate a digital signature over the root node of the Merkle hash tree of each of the above programs; taking the program identified as ta_i, whose root node is ROOT_i, as an example, the generated digital signature is Sig_{SK_L}(ROOT_i);
f) Linux operating system vendor: when generating the Linux operating system image, store the digital signatures Sig_{SK_L}(ROOT_i) and the Merkle tree nodes of all programs ta in TA together in the "signature area" of the kernel file system;
g) Linux operating system vendor: add a Boolean variable ta to the existing inode (index node) data structure of the operating system file system, recording whether the program is a program in TA; for a program not in TA, ta==0, and for a program in TA, ta==1;
h) Linux operating system vendor: in the existing memory-mapping (mmap()) system call of the operating system kernel, add logic that determines whether a program is a program in TA;
i) Linux operating system vendor: in the existing page-fault handler of the operating system kernel, add program fragment measurement and verification logic;
j) Computer device manufacturer: use SK_C to digitally sign the kernel provided by the Linux operating system vendor, obtaining Sig_{SK_C}(KERNEL).
2. System boot stage (operating system secure boot stage):
When the computer system starts, the digital signature (and signature verification) algorithm routine and the operating system image verification routine embedded in the system boot firmware form secure boot firmware, which verifies the digital signature of the Linux operating system kernel image and starts the operating system kernel and system applications in a secure manner, guaranteeing the trustworthiness of the kernel and system applications.
3. System run stage:
a) Program type determination: when any program starts running, it calls the mmap() system call, which maps the executable program (code segment) into memory. The determination logic added in step 1.h) reads the extended attribute of the file and determines whether the program is a program in TA:
i. if not, set ta in the in-memory inode of the executable program file to "0" and continue normal execution according to the original steps;
ii. if so, set ta in the in-memory inode of the executable program file to "1".
b) Program measurement and control: when any program actually runs, it accesses a program fragment and triggers a page fault. The measurement and verification logic added in step 1.i) first measures the program and stores the measurement result in the measurement result list in memory, and then, according to the Merkle tree nodes and the root node digital signature corresponding to the program, verifies the program fragment currently being loaded into memory. If an error occurs, action is taken according to the system configuration: for example, program execution can be blocked directly, or execution is allowed but a prompt is issued to the user, or execution is allowed but the error information is written to the audit log.
c) System optimization:
The measurement and verification logic of step 3.b) can be optimized as follows: add a DC bit to the measurement result list in memory; for every executable file fragment that has been measured, set the bit to CLEAN; whenever the executable file is modified, set the bit to DIRTY; the measurement and verification logic of step 3.b) then only needs to measure file fragments whose DC bit is DIRTY.
d) User management: the application layer provides an interface through which the user turns on or off secure boot and the program measurement or program control functions in the operating system kernel; the application layer should also provide an interface through which the user specifies changes to the programs contained in the signature area and their signatures.
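The tree construction of step 1.c) and the page-fault check of steps 3.b) and 3.c) can be modelled in user space as follows. This is an added example, not code from the patent: SHA-256 stands in for SM3, `trusted_root` stands in for a ROOT_i whose signature Sig_{SK_L}(ROOT_i) has already been verified, and the names `split_pages`, `build_tree`, `FaultVerifier`, the `EMPTY` filler node and the 0x00/0x01 hash prefixes are assumptions of the example.

```python
import hashlib

PAGE_SIZE = 4096            # segment size = memory page size (step 1.c, "usually 4KB")
CLEAN, DIRTY = 0, 1         # values of the DC bit from step 3.c
EMPTY = hashlib.sha256(b"\x02").digest()   # filler sibling for odd-sized levels (assumption)


def h(data):
    # SHA-256 stands in for SM3; hashlib does not guarantee an SM3 backend.
    return hashlib.sha256(data).digest()


def split_pages(code):
    """Cut a code segment into page-sized segments, zero-padding the last one."""
    pages = [code[i:i + PAGE_SIZE] for i in range(0, max(len(code), 1), PAGE_SIZE)]
    pages[-1] = pages[-1].ljust(PAGE_SIZE, b"\0")
    return pages


def build_tree(pages):
    """Preparation stage: levels[0] holds the leaf hashes, levels[-1] == [root]."""
    # 0x00 / 0x01 prefixes keep leaf hashes and inner-node hashes distinct.
    levels = [[h(b"\x00" + p) for p in pages]]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([EMPTY] if len(levels[-1]) % 2 else [])
        levels.append([h(b"\x01" + cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


class FaultVerifier:
    """Model of the measurement and verification logic in the page-fault path.

    `levels` plays the role of the untrusted nodes kept in the signature area;
    only `trusted_root` is trusted. policy "block" refuses a bad page, while
    "warn" and "audit" let it run; every failure is recorded in `audit`.
    """

    def __init__(self, levels, trusted_root, policy="block"):
        self.levels, self.trusted_root, self.policy = levels, trusted_root, policy
        self.dc = {}             # page index -> DC bit; a missing entry counts as DIRTY
        self.measurements = []   # in-memory measurement result list
        self.audit = []

    def on_page_fault(self, index, page_bytes):
        """Return True if the page being loaded may be mapped and executed."""
        if self.dc.get(index, DIRTY) == CLEAN:
            return True          # measured earlier and not modified since
        ok = 0 <= index < len(self.levels[0])
        if ok:
            node = h(b"\x00" + page_bytes)
            self.measurements.append((index, node.hex()))
            idx = index
            for level in self.levels[:-1]:       # climb using stored sibling nodes
                sib = idx ^ 1
                sibling = level[sib] if sib < len(level) else EMPTY
                pair = node + sibling if idx % 2 == 0 else sibling + node
                node, idx = h(b"\x01" + pair), idx // 2
            ok = node == self.trusted_root
        if ok:
            self.dc[index] = CLEAN
            return True
        self.audit.append("page %d: integrity verification failed" % index)
        return self.policy != "block"

    def on_file_modified(self, index):
        self.dc[index] = DIRTY   # a write to the executable forces re-measurement


def demo():
    code = bytes(range(256)) * 40 + b"tail"      # constructed 3-page "code segment"
    pages = split_pages(code)
    levels = build_tree(pages)
    v = FaultVerifier(levels, levels[-1][0], policy="block")
    first = v.on_page_fault(1, pages[1])         # measured and verified
    again = v.on_page_fault(1, pages[1])         # skipped: DC bit is CLEAN
    skipped = len(v.measurements) == 1
    v.on_file_modified(1)
    bad = bytearray(pages[1])
    bad[10] ^= 0xFF                              # constructed one-byte tamper
    blocked = not v.on_page_fault(1, bytes(bad))
    return first, again, skipped, blocked, len(v.audit)


if __name__ == "__main__":
    print(demo())
```

Only the pages that actually fault are hashed, and each check costs one page hash plus one hash per tree level, which is the saving over hashing the whole executable at start.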
Corresponding to the above method, the invention also provides a Merkle tree-based Linux program runtime verification and management and control system, comprising:
a Merkle hash tree construction module, responsible for dividing the Linux application into segments of the same size as a memory page and, taking each segment as a leaf node, generating all non-leaf nodes of the Merkle hash tree for the code segment of the application;
a program measurement time control module, responsible for postponing, based on the Merkle hash tree, the program measurement time from when the executable program file starts to when the executable program file is actually loaded into memory;
a program measurement object control module, responsible for changing, based on the Merkle hash tree, the program measurement object from the executable program file as a whole to the program fragments that actually need to be loaded into memory.
The invention also provides a computer device using the Linux operating system, comprising the Merkle tree-based Linux program runtime verification and management and control system described above.
The advantages of the invention are as follows:
1. Compared with existing program integrity measurement and control techniques, the invention postpones the program measurement time from when the executable file starts to when the executable file is actually loaded into memory, and changes the object of program measurement from the executable file as a whole to the program fragments that actually need to be loaded into memory. This avoids reading the entire executable program and computing its cryptographic hash value at program start, and thus simplifies the measurement object without reducing security.
2. The invention also shortens the interval between the time a program is measured and the time it actually runs (in the invention, measurement takes place at demand paging, which is usually the moment just before the program fragment is actually accessed), which improves system security. Compared with the traditional IMA mechanism, the invention has less impact on performance at start (only the small number of program fragments loaded into memory at start are measured) and reduces the attack window a malicious program can exploit (it shortens the interval between the time a program is measured and the time it is actually accessed).
Description of the drawings
Fig. 1 is a flowchart of the preparation stage of the method of the invention.
Fig. 2 is a schematic of integrity verification in the system boot and run stages of the method of the invention.
Fig. 3 is a schematic of the Merkle hash tree, in which Block denotes a data block, Hash denotes a hash value, and Root Hash is the root node of the Merkle tree.
Detailed description of the embodiments
The specific implementation of the invention is described below, taking the implementation of application measurement and control on an ordinary PC device as an example.
The invention proposes a Merkle tree-based Linux program runtime verification and management and control method; those skilled in the art can design and implement a corresponding system security protection system with reference to this method.
In the Merkle tree-based Linux program runtime verification and management and control method of this embodiment, the flow of the preparation stage is shown in Fig. 1 and the integrity verification flow of the system boot and run stages is shown in Fig. 2. The method specifically comprises the following steps:
1. Computer device manufacturer, Linux operating system vendor, application vendor: following sub-step a) of step 1 in the Summary of the invention, agree to take all programs under the /sbin directory and the /bin directory of the Linux system as TA, and follow China's commercial cryptographic algorithm standards (including the SM2 public-key cryptographic algorithm standard and the SM3 cryptographic hash algorithm standard), with the SM2 algorithm using the parameters recommended by the State Cryptography Administration.
2. Computer device manufacturer: following sub-step b) of step 1 in the Summary of the invention, generate the SM2 key pair <PK_C, SK_C>; embed PK_C in PC boot firmware that conforms to the UEFI interface specification, implement a cryptographic algorithm library according to the cryptographic parameters determined in the step above, and implement program logic that uses the SM2/SM3 algorithms and PK_C to perform kernel measurement and digital signature verification, for verifying Sig_{SK_C}(KERNEL) (this digital signature is generated in step 6 below). If the computer device uses an operating system boot loader in addition to the boot firmware, the SM2/SM3 algorithms and the measurement and digital signature verification logic are likewise implemented in the operating system boot loader, with the manufacturer-specified PK_C embedded.
3. Application vendor: following sub-step c) of step 1 in the Summary of the invention, compute Merkle tree information for the applications it provides, such as the programs under the /bin directory, and supply it to the Linux operating system vendor; similarly, the Linux operating system vendor can also compute Merkle tree information for certain system applications it provides itself, such as the programs under the /sbin directory; Fig. 3 is a schematic of the Merkle hash tree.
4. Linux operating system vendor: following sub-steps d) to f) of step 1 in the Summary of the invention, generate the SM2 key pair <PK_L, SK_L> according to the agreed public cryptographic parameters, as shown in Fig. 1; next, from the Merkle tree information of the applications produced by the application vendors and by itself, generate the digital signature of the Merkle tree root node of each application; then, allocate a dedicated disk partition for the operating system kernel and applications (to ensure that the size of the partition does not change as the computer system is used), and store the above measurement values and digital signatures of the applications in unallocated disk space in that partition.
5. Linux operating system vendor: following sub-steps g) to i) of step 1 in the Summary of the invention, on the basis of the standard Linux kernel in use, modify the data structure of the inode and the logic flow of the mmap() system call, adding the determination for application integrity.
6. Computer device manufacturer: following sub-step j) of step 1 in the Summary of the invention, use SK_C to digitally sign the kernel KERNEL provided by the Linux operating system vendor, obtaining Sig_{SK_C}(KERNEL).
7. Linux system boot stage: following step 2 in the Summary of the invention, form secure boot firmware and verify the digital signature of the Linux operating system kernel image at start-up, guaranteeing the trustworthiness of the kernel image.
8. Linux system run stage: following sub-steps a) to b) of step 3 in the Summary of the invention, perform program type determination, program measurement and control on any program to be started in the system; program measurement and control can be optimized according to sub-step c) of step 3, reducing the amount of program code measured and improving efficiency; following sub-step d) of step 3, provide the user with a management interface at the application layer, for the user to manage the measurement and control functions in the kernel and to modify program signatures.
Another embodiment of the invention provides a Merkle tree-based Linux program runtime verification and management and control system, comprising:
a Merkle hash tree construction module, responsible for dividing the Linux application into segments of the same size as a memory page and, taking each segment as a leaf node, generating all non-leaf nodes of the Merkle hash tree for the code segment of the application;
a program measurement time control module, responsible for postponing, based on the Merkle hash tree, the program measurement time from when the executable program file starts to when the executable program file is actually loaded into memory;
a program measurement object control module, responsible for changing, based on the Merkle hash tree, the program measurement object from the executable program file as a whole to the program fragments that actually need to be loaded into memory.
For the specific implementation of each of the above modules, see the description of the method above.
Another embodiment of the invention provides a computer device using the Linux operating system, comprising the Merkle tree-based Linux program runtime verification and management and control system described above.
Although specific embodiments of the invention are disclosed for the purpose of illustration, their purpose is to aid understanding of the content of the invention and its implementation accordingly. Those skilled in the art will understand that various substitutions, changes and modifications are possible without departing from the spirit and scope of the invention and the appended claims. The invention should therefore not be limited to what is disclosed in the preferred embodiment; the scope of protection claimed is that defined by the claims.

Claims (10)

1. A Merkle tree-based Linux program runtime verification and management and control method, the steps of which comprise:
1) dividing the Linux application into segments of the same size as a memory page and, taking each segment as a leaf node, generating all non-leaf nodes of the Merkle hash tree for the code segment of the application;
2) based on the Merkle hash tree, postponing the program measurement time from when the executable program file starts to when the executable program file is actually loaded into memory;
3) based on the Merkle hash tree, changing the program measurement object from the executable program file as a whole to the program fragments that actually need to be loaded into memory.
2. The method as claimed in claim 1, characterized in that it comprises a preparation stage, a system boot stage and a system run stage.
3. The method as claimed in claim 2, characterized in that the preparation stage comprises:
a) the computer device manufacturer, the Linux operating system vendor and the application vendor jointly define a set of programs to be protected, denoted TA = {ta_1, ta_2, ..., ta_N}, and in addition agree on a set of public cryptographic parameters;
b) the computer device manufacturer generates an asymmetric key pair <PK_C, SK_C> according to the public cryptographic parameters of step a), uses firmware that supports the UEFI interface as the first boot device of the machine, and embeds in it the public key part PK_C of <PK_C, SK_C>;
c) when producing an application, the application vendor adds an extended attribute section to the program and adds a flag in that section marking whether the program belongs to TA; each program in TA is divided into segments of the same size as a system memory page, and then, taking each segment as a leaf node, all non-leaf nodes of the Merkle hash tree are generated for the program's code segment;
d) the Linux operating system vendor generates an asymmetric key pair <PK_L, SK_L> according to the public cryptographic parameters of step a);
e) the Linux operating system vendor uses SK_L to generate a digital signature over the root node of the Merkle hash tree of each of the above programs; taking the program identified as ta_i, whose root node is ROOT_i, as an example, it generates Sig_{SK_L}(ROOT_i);
f) when generating the Linux operating system image, the Linux operating system vendor stores the digital signatures Sig_{SK_L}(ROOT_i) and the Merkle tree nodes of all programs ta in TA together in the "signature area" of the kernel file system;
g) the Linux operating system vendor adds a Boolean variable ta to the existing inode data structure of the operating system file system, recording whether the program is a program in TA; for a program not in TA, ta==0, and for a program in TA, ta==1;
h) the Linux operating system vendor adds, in the existing memory-mapping mmap() system call of the operating system kernel, logic that determines whether a program is a program in TA;
i) the Linux operating system vendor adds program fragment measurement and verification logic in the existing page-fault handler of the operating system kernel;
j) the computer device manufacturer uses SK_C to digitally sign the kernel provided by the Linux operating system vendor, obtaining Sig_{SK_C}(KERNEL).
4. The method as claimed in claim 3, characterized in that the system boot stage comprises: when the computer system starts, the digital signature and signature verification algorithm routine and the operating system image verification routine embedded in the system boot firmware form secure boot firmware, which verifies the digital signature of the Linux operating system kernel image and starts the operating system kernel and system applications in a secure manner, guaranteeing the trustworthiness of the kernel and system applications.
5. The method as claimed in claim 4, characterized in that the system run stage comprises:
(a) program type determination: when any program starts running, it calls the mmap() system call, which maps the executable program into memory; the determination logic added in step h) reads the extended attribute of the file and determines whether the program is a program in TA;
(b) program measurement and control: when any program actually runs, it accesses a program fragment and triggers a page fault; the measurement and verification logic added in step i) first measures the program and stores the measurement result in the measurement result list in memory, and then, according to the Merkle tree nodes and the root node digital signature corresponding to the program, verifies the program fragment currently being loaded into memory; if an error occurs, action is taken according to the system configuration;
(c) user management: the application layer provides an interface through which the user turns on or off secure boot and the program measurement or program control functions in the operating system kernel; the application layer should also provide an interface through which the user specifies changes to the programs contained in the signature area and their signatures.
6. The method as claimed in claim 5, characterized in that step (b) is optimized as follows: a DC bit is added to the measurement result list in memory; for every executable file fragment that has been measured, the bit is set to CLEAN; whenever the executable program file is modified, the bit is set to DIRTY; the measurement and verification logic measures only file fragments whose DC bit is DIRTY.
7. The method as claimed in claim 5, characterized in that it involves three parts: the boot firmware and operating system boot loader, the operating system kernel, and the user management program.
8. The method as claimed in claim 7, characterized in that it relies on the digital signature verification function of the boot firmware and the operating system boot loader to boot the operating system kernel securely so as to ensure the integrity of the kernel; relies on the verification and control logic in the kernel to verify the integrity of specified applications; and relies on the user management program to turn the verification function on or off and to change the scope of the TA set.
9. A Merkle tree-based Linux program runtime verification and management and control system, characterized by comprising:
a Merkle hash tree construction module, responsible for dividing the Linux application into segments of the same size as a memory page and, taking each segment as a leaf node, generating all non-leaf nodes of the Merkle hash tree for the code segment of the application;
a program measurement time control module, responsible for postponing, based on the Merkle hash tree, the program measurement time from when the executable program file starts to when the executable program file is actually loaded into memory;
a program measurement object control module, responsible for changing, based on the Merkle hash tree, the program measurement object from the executable program file as a whole to the program fragments that actually need to be loaded into memory.
10. A computer device using the Linux operating system, characterized by comprising the Merkle tree-based Linux program runtime verification and management and control system as claimed in claim 9.
CN201811488026.XA 2018-12-06 2018-12-06 Merkle tree-based Linux program runtime verification and management and control method and system Active CN109766688B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811488026.XA CN109766688B (en) 2018-12-06 2018-12-06 Merkle tree-based Linux program runtime verification and management and control method and system


Publications (2)

Publication Number Publication Date
CN109766688A true CN109766688A (en) 2019-05-17
CN109766688B CN109766688B (en) 2021-05-18

Family

ID=66450556

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811488026.XA Active CN109766688B (en) 2018-12-06 2018-12-06 Merkle tree-based Linux program runtime verification and management and control method and system

Country Status (1)

Country Link
CN (1) CN109766688B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111177703A (en) * 2019-12-31 2020-05-19 青岛海尔科技有限公司 Method and device for determining data integrity of operating system
CN111273952A (en) * 2020-02-15 2020-06-12 山东超越数控电子股份有限公司 Trusted recovery updating method and device
CN113553231A (en) * 2021-07-01 2021-10-26 江苏电力信息技术有限公司 Embedded operating system operating environment monitoring method based on security chip

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101310256A (en) * 2005-11-14 2008-11-19 微软公司 Asynchronous just-in-time compilation
CN102986163A (en) * 2010-03-05 2013-03-20 交互数字专利控股公司 Method and apparatus for providing security to devices
CN108460293A (en) * 2017-02-22 2018-08-28 北京大学 A kind of application integrity multistage checking mechanism

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101310256A (en) * 2005-11-14 2008-11-19 微软公司 Asynchronous just-in-time compilation
CN102986163A (en) * 2010-03-05 2013-03-20 交互数字专利控股公司 Method and apparatus for providing security to devices
US20130198838A1 (en) * 2010-03-05 2013-08-01 Interdigital Patent Holdings, Inc. Method and apparatus for providing security to devices
CN108460293A (en) * 2017-02-22 2018-08-28 北京大学 A kind of application integrity multistage checking mechanism

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
DAN WILLIAMS: "Optimal Parameter Selection for Efficient Memory Integrity Verification Using Merkle Hash Trees", 《PROCEEDINGS OF THE THIRD IEEE INTERNATIONAL SYMPOSIUM ON NETWORK COMPUTING AND APPLICATIONS》 *
Liu Ziwen: "Dynamic Integrity Measurement Architecture Based on Trusted Computing", 《Journal of Electronics & Information Technology》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111177703A (en) * 2019-12-31 2020-05-19 青岛海尔科技有限公司 Method and device for determining data integrity of operating system
CN111177703B (en) * 2019-12-31 2023-03-31 青岛海尔科技有限公司 Method and device for determining data integrity of operating system
CN111273952A (en) * 2020-02-15 2020-06-12 山东超越数控电子股份有限公司 Trusted recovery updating method and device
CN113553231A (en) * 2021-07-01 2021-10-26 江苏电力信息技术有限公司 Embedded operating system operating environment monitoring method based on security chip
CN113553231B (en) * 2021-07-01 2023-08-22 江苏电力信息技术有限公司 Embedded operating system running environment monitoring method based on security chip

Also Published As

Publication number Publication date
CN109766688B (en) 2021-05-18

Similar Documents

Publication Publication Date Title
US8850212B2 (en) Extending an integrity measurement
CN102103673B (en) Providing integrity verification and attestation in a hidden execution environment
CN103914658B (en) Safe starting method of terminal equipment, and terminal equipment
US7318150B2 (en) System and method to support platform firmware as a trusted process
CN103093150B (en) A kind of dynamic integrity protection method based on credible chip
CN107679393B (en) Android integrity verification method and device based on trusted execution environment
US10771264B2 (en) Securing firmware
US11379586B2 (en) Measurement methods, devices and systems based on trusted high-speed encryption card
CN108351937A (en) Computing device
EP2126770B1 (en) Trusted computing entities
KR101276409B1 (en) System and method for n-ary locality in a security co-processor
US10565382B1 (en) Maintaining keys for trusted boot code
TW201500960A (en) Detection of secure variable alteration in a computing device equipped with unified extensible firmware interface (UEFI)-compliant firmware
CN109766688A (en) A kind of Linux program run time verification based on Merkle tree and management-control method and system
JP2005527019A (en) Multi-token seal and seal release
CN110263545A (en) A kind of start-up course integrity measurement detection method based on android system
US20200117804A1 (en) Secure management and execution of computing code including firmware
CN106096418A (en) SELinux-based startup security level selection method and device and terminal equipment
CN113448681B (en) Registration method, equipment and storage medium of virtual machine monitor public key
US11689365B2 (en) Centralized volume encryption key management for edge devices with trusted platform modules
Yao et al. Building Secure Firmware
US20080271145A1 (en) Tamper indication system and method for a computing system
CN109697351A (en) A kind of credible measurement system and method
Akram et al. An introduction to the trusted platform module and mobile trusted module
US20200235917A1 (en) Shared secret generation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Luohu District Shenzhen Shennan Road 518000 No. 4020 Guangdong provincial power dispatching center building

Applicant after: SHENZHEN POWER SUPPLY BUREAU Co.,Ltd.

Applicant after: Institute of Software, Chinese Academy of Sciences

Applicant after: China Southern Power Grid Research Institute Co.,Ltd.

Address before: 100190 No. four, 4 South Street, Haidian District, Beijing, Zhongguancun

Applicant before: Institute of Software, Chinese Academy of Sciences

Applicant before: China Southern Power Grid Research Institute Co.,Ltd.

Applicant before: SHENZHEN POWER SUPPLY BUREAU Co.,Ltd.

CB03 Change of inventor or designer information

Inventor after: Lv Zhining

Inventor after: Xi Wei

Inventor after: Kuang Xiaoyun

Inventor after: Yao Hao

Inventor after: Yu Yang

Inventor after: Ning Baifeng

Inventor after: Luo Weifeng

Inventor after: Liu Wei

Inventor after: Deng Wei

Inventor after: Qin Yu

Inventor after: Chu Xiaobo

Inventor after: Zhao Shijun

Inventor after: Feng Wei

Inventor before: Qin Yu

Inventor before: Ning Baifeng

Inventor before: Luo Weifeng

Inventor before: Liu Wei

Inventor before: Deng Wei

Inventor before: Chu Xiaobo

Inventor before: Zhao Shijun

Inventor before: Feng Wei

Inventor before: Kuang Xiaoyun

Inventor before: Xi Wei

Inventor before: Yao Hao

Inventor before: Yu Yang

Inventor before: Lv Zhining

GR01 Patent grant